On Wednesday, Facebook CEO Mark Zuckerberg finally ended days of silence and set out on a media tour to explain Facebook’s role in the Cambridge Analytica data scandal. In a New York Times interview, journalist Kevin Roose asked Zuckerberg if he would notify all of the users affected:

Kevin Roose: Is Facebook planning to notify the 50 million users whose data was shared with Cambridge Analytica?

Mark Zuckerberg: Yes. We’re going to tell anyone whose data may have been shared. Now, there’s a question of whether we have the exact record in our systems today of who your friends were on that day when there was access three and a half or four years ago, so we’re going to be conservative on that and try to tell anyone whose data may have been affected, even if we don’t know for certain that they were. It’s likely that we’ll build a tool like we did with the Russian misinformation investigation, that anyone can go to it and see if their data was affected by this.

It is certainly time for a robust international conversation about how best to regulate social media platforms, and data privacy more generally. Major technology companies- including Facebook, Google, Twitter, SNAP and others- define the information ecosystem in much of the world. Hardly regulated and hardly accountable, these companies are completely transforming the public sphere. While these platforms present new opportunities to connect people around the world, they also create attack surfaces for bad actors that wish to spread misinformation, encourage terrorism, engage in online harassment, steal personal data, restrict free speech and suppress dissent.

We've set up a new site to continue the discussion- RegulateSocialMedia.org. Join us there and on Twitter at @RegulateSocial. Please join us there to engage with future actions and learn more about how we can make sure our technology platforms reinforce the health of our democracy and protect our data.

Facebook has revealed that in 2015 a University of Cambridge researcher, Aleksandr Kogan, passed user data to third parties, including SCL Group/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, in violation of the company's platform policies. Cambridge Analytica, Kogan and Eunoia certified to Facebook that they destroyed the data, but they did not. Three years later, the public is only now being made aware of this breach.

Cambridge Analyica was a contractor to President Donald Trump's 2016 election campaign. Indeed, its CEO, Alexander Nix, made efforts to contact Wikileaks founder Julian Assange to help distribute hacked DNC emails to help Donald Trump get elected. Because of the sensitive nature of these parties, and because it should be liable to its users for such breaches, Facebook has a duty to inform all users affected by this breach.

Notification should include all users whose data was directly or indirectly shared with these parties, and how that information was used to target them with political advertising by Cambridge Analytica, the Cruz or Trump campaigns, or any other entity that CA did business with.